From 9ce9891eda27e795842235191242d30adbed875f Mon Sep 17 00:00:00 2001 From: bms Date: Wed, 11 Feb 2004 04:34:34 +0000 Subject: Initial import of RFC 2385 (TCP-MD5) digest support. This is the second of two commits; bring in the userland support to finish. Teach libipsec and setkey about the tcp-md5 class of security associations, thus allowing administrators to add per-host keys to the SADB for use by the tcpsignature_compute() function. Document that a single SPI must be used until such time as the code which adds support to the SPD to specify flows for tcp-md5 treatment is suitable for production. Sponsored by: sentex.net --- usr.sbin/setkey/setkey.8 | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'usr.sbin/setkey/setkey.8') diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index 1e03edf..567dde4 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -252,6 +252,8 @@ AH based on rfc2402 AH based on rfc1826 .It Li ipcomp IPComp +.It Li tcp +TCP-MD5 based on rfc2385 .El .\" .Pp @@ -265,6 +267,8 @@ must be a decimal number, or a hexadecimal number with prefix. SPI values between 0 and 255 are reserved for future use by IANA and they cannot be used. +TCP-MD5 associations must use 0x1000 and therefore only have per-host +granularity at this time. .\" .Pp .It Ar extensions @@ -585,6 +589,7 @@ hmac-ripemd160 160 ah: 96bit ICV (RFC2857) ah-old: 128bit ICV (no document) aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) 128 ah-old: 128bit ICV (no document) +tcp-md5 8 to 640 tcp: rfc2385 .Ed .Pp Followings are the list of encryption algorithms that can be used as @@ -649,6 +654,8 @@ dump esp ; spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ; +add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; + .Ed .\" .Sh SEE ALSO -- cgit v1.1
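Review bot: In the first hunk, the new protocol entry ".It Li tcp / TCP-MD5 based on rfc2385" sits beside esp, ah and ipcomp without saying that this class differs from the others: it provides only the per-segment MD5 signature and no encapsulation, and it is tied to a fixed SPI as the later hunk states. A one-line cross-reference from this entry to the SPI restriction would spare readers who stop at the protocol list.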
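Review bot: In the second hunk, "TCP-MD5 associations must use 0x1000" gives the required value but not what setkey or the kernel does when a different SPI is supplied (rejected at add time, or accepted and never matched by the lookup). Stating the failure mode here would make the per-host-only limitation easier to diagnose; the "at this time" wording is fine given the commit message's note that flow-level (SPD) selection is not yet production ready.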
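Review bot: In the third hunk, the new row "tcp-md5 8 to 640 tcp: rfc2385" departs from the table's style: the surrounding rows give the reference in parentheses and upper case, e.g. "ah: 96bit ICV (RFC3566)", and the key-length column is in bits for every other algorithm, so "8 to 640" should say bits explicitly if that is the unit and be written as "tcp: (RFC2385)" for consistency with the rows above it.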
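Review bot: In the fourth hunk, the example "add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;" installs a single directed SA; since a BGP session carries segments in both directions, the text should say whether a second add with the addresses reversed is required or whether one entry covers both. The hunk also adds a blank line before ".Ed", which the earlier examples in this ".Bd" block do not have, and because the shared secret appears as a cleartext string in the configuration file, a sentence on restricting read access to that file would be a useful addition next to this example.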